On Wed, Jun 07, 2017 at 09:40:53PM +0200, Arturo Borrero Gonzalez wrote:
> On 7 June 2017 at 10:35, Ismo Puustinen <ismo.puustinen@xxxxxxxxx> wrote:
> >
> > +static int directoryfilter(const struct dirent *de)
> > +{
> > + if (strcmp(de->d_name, ".") == 0 ||
> > + strcmp(de->d_name, "..") == 0)
> > + return 0;
> > +
> > + /* Accept other filenames. If we want to enable filtering based on
> > + * filename suffix (*.nft), this would be the place to do it.
> > + */
> > +
>
> This filter by suffix is good to have IMHO.
> I guess that forcing users to explicitly create a file for nftables
> (or at least give a specific suffix) reduces chances for user errors.

You mean, this new include directory feature just takes *.nft files,
right?

Then, to keep it consistent, we should also display a warning in
include file with no .nft postfix. And deprecate the existing behaviour at
some point, ie. bail out if you include a file that has no trailing
.nft in its name.

If we follow this path, all ruleset files will end up using .nft as a
trailer in the name.

Is there any other similar software following this approach? How is
'ferm' doing this?
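
Review bot: In directoryfilter(), the comment after the "." / ".." test says every other filename is accepted, so editor backups, dotfiles and packaging leftovers that happen to sit in the include directory would be parsed as ruleset input. I would implement the suffix test at that spot instead of leaving it as a comment: take len = strlen(de->d_name) and return 0 unless len > 4 and strcmp(de->d_name + len - 4, ".nft") == 0. The visible lines also never look at the entry type, so a subdirectory passes the filter; since d_type can be DT_UNKNOWN on some filesystems, the caller should stat() each entry and skip anything that is not a regular file before opening it.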